Attackers try to compromise Magento with a fake patch

Attackers are still trying to find Magento installations that haven't patched a particularly bad vulnerability, this time trying to trick people into downloading a fake patch.

The bogus patch purports to fix a flaw known as the Shoplift Bug, or SUPEE-5344, wrote Denis Sinegubko, a senior malware researcher with Sucuri.

"While the patch was released February 2015, many sites unfortunately did not update," he wrote. "This gave hackers an opportunity to compromise thousands of Magento powered online stores."

Magento, which eBay sold to
investment fund Permira in November, is one of the most popular
e-commerce and content management platforms. It's used by companies
including Nike, Olympus and Ghirardelli Chocolate.

The Shoplift Bug is a remote code execution vulnerability. If exploited, it can give attackers administrative access to an e-commerce store. At that point, a range of bad outcomes are possible.

Other fraudulent administrator accounts can be create or other malware installed. Sinegubko wrote hackers appended JavaScript to certain files that stripped out payment card information or modified PHP files to collect payment information during processing.

"Regardless of technique employed, the results were the same; customer credit card information was being stolen and siphoned off to the hackers," he wrote.

Even nine months after Magento patched the Shoplift Bug, a rash of new infections was detected that delivered the Neutrino exploit kit. In those instances, compromised Magento sites pulled content from a malicious domain that tried to deliver malware to victims using Neutrino.

The vulnerable Magento versions are CE prior to 1.9.1.1 and EE prior to 1.14.2.0.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.